Millions at risk: UEFI compromise leaves computers vulnerable

Researchers Discover Multiple Serious Vulnerabilities in TianoCore EDK II

Researchers from the French company Quarkslab have uncovered a series of serious vulnerabilities in TianoCore EDK II, an open-source implementation of the Unified Extensible Firmware Interface (UEFI) specification. These vulnerabilities, collectively known as PixieFail, have the potential to result in code removal, service disruption, information leakage, remote code execution, DNS cache poisoning, and network session interception. The vulnerabilities were discovered during an analysis of NetworkPkg, the module that provides drivers and applications for network configuration.

Several major manufacturers, including Microsoft, ARM, Insyde, Phoenix Technologies, and AMI, use the vulnerable module. The Chief Technical Director of Quarkslab has also confirmed the presence of vulnerable code in Microsoft’s adaptation of TianoCore EDK II, known as Project Mu.

The following CVE identifiers have been assigned to the nine vulnerabilities:

CVE Identifier    Vulnerability Description
CVE-2023-45229    Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
CVE-2023-45230    Buffer overflow in the DHCPv6 client due to a long Server ID option
CVE-2023-45231    Out-of-bounds read when processing truncated options in an ND Redirect message
CVE-2023-45232    Infinite loop when parsing unknown options in the Destination Options header
CVE-2023-45233    Infinite loop when